Diffstat (limited to 'etc/proxy-server.conf-sample')
-rw-r--r--etc/proxy-server.conf-sample15
1 files changed, 12 insertions, 3 deletions
diff --git a/etc/proxy-server.conf-sample b/etc/proxy-server.conf-sample
index 5b6313479..cade60751 100644
--- a/etc/proxy-server.conf-sample
+++ b/etc/proxy-server.conf-sample
@@ -776,9 +776,18 @@ use = egg:swift#decrypter
[filter:keymaster]
use = egg:swift#keymaster
-# Sets the root key from which encryption keys are derived. Change before
-# first use. After that, changing the key may result in data loss.
-encryption_root_secret = change_before_use
+# Sets the root secret from which encryption keys are derived. This must be set
+# before first use to a value that is a base64 encoding of at least 32 bytes.
+# The security of all encrypted data critically depends on this key, therefore
+# it should be set to a high-entropy value. For example, a suitable value may
+# be obtained by base-64 encoding a 32 byte (or longer) value generated by a
+# cryptographically secure random number generator. Changing the root secret is
+# likely to result in data loss.
+# TODO - STOP SETTING THIS DEFAULT! This is only here while work
+# continues on the feature/crypto branch. Later, this will be added
+# to the devstack proxy-config so that gate tests can pass.
+# base64 encoding of "dontEverUseThisIn_PRODUCTION_xxxxxxxxxxxxxxx"
+encryption_root_secret = ZG9udEV2ZXJVc2VUaGlzSW5fUFJPRFVDVElPTl94eHh4eHh4eHh4eHh4eHg=
[filter:encrypter]
use = egg:swift#encrypter
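Review bot: The active `encryption_root_secret = ZG9udEV2...` line at the end of the added comment block ships a publicly known, low-entropy value, so any deployment that copies this sample unchanged derives all of its encryption keys from a secret readable in the repository. The TODO acknowledges this, but nothing in the hunk stops the value from reaching a release. The old `change_before_use` placeholder would presumably be rejected under the new base64/32-byte rule (not verifiable from this hunk), so shipping the option commented out, e.g. `# encryption_root_secret =`, and setting the test value in the gate configuration would keep the sample failing closed. The comment would also be more useful to operators if it named a concrete way to produce the value, for example `# e.g. openssl rand -base64 32`. As a smaller point, the text alternates between "base64" and "base-64" and between "root secret" and "this key"; a single term for each would read more clearly.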